Is it still possible to run malware in a browser using JavaScript and Rowhammer? Yes, yes it is (slowly)

Is it still possible to run malware in a browser using JavaScript and Rowhammer? Yes, yes it is (slowly)

Boffins from Vrije Universiteit in Amsterdam and ETH in Zurich have bypassed memory chip defenses to execute a successful browser-based Rowhammer side-channel attack dubbed SMASH.


Rowhammer refers to a technique that computer security researchers began to explore around 2014: "hammering" RAM chips with a series of rapid write operations. This process abuses the electronics enough to flip stored bits, potentially introducing errors that can be exploited for further gain.

Initially, Rowhammer attacks had to be conducted locally, though by 2016 [PDF], the technique had been refined to work remotely using JavaScript in, say, a web browser.


Memory specifications introduced in 2014 added optional support for a mitigation called Target Row Refresh (TRR), a DRAM command available to memory controllers to refresh memory cell rows adjacent to particularly active areas as a way to prevent corruption.

But computer scientists from VU, ETH, and Qualcomm last year described a way to defeat TRR locally in a paper titled, TRRespass: Exploiting the Many Sides of Target Row Refresh [PDF].


It's Hammer Time!


On Tuesday, some of those same researchers and some new ones – Finn de Ridder, Pietro Frigo, Emanuele Vannacci, Herbert Bos, Cristiano Giuffrida, and Kaveh Razavi – unveiled SMASH (Synchronized MAny-Sided Hammering), a web-based attack on Mozilla's Firefox browser that overcomes TRR and several challenges associated with executing Rowhammer via JavaScript.


Their SMASH attack can slowly but arbitrarily read and write memory in Firefox (v. 81.0.1) on an updated Ubun ..